We are currently migrating Bugzilla to GitHub issues.
Any changes made to the bug tracker now will be lost, so please do not post new bugs or make changes to them.
When we're done, all bug URLs will redirect to their equivalent location on the new bug tracker.

Bug 5159

Summary: Unhandled SecurityException in HIDDeviceUSB::getSerialNumber()
Product: SDL Reporter: sdlbugs
Component: joystickAssignee: Sam Lantinga <slouken>
Status: RESOLVED FIXED QA Contact: Sam Lantinga <slouken>
Severity: normal    
Priority: P2    
Version: 2.0.12   
Hardware: ARM   
OS: Android (All)   
Attachments: Patch to catch, log and sink SecurityException

Description sdlbugs 2020-05-26 12:19:14 UTC 
Created attachment 4357 [details]
Patch to catch, log and sink SecurityException

As of Android Q (29) and above, a call to UsbDevice::getSerialNumber() can result in a SecurityException being thrown if the caller has not got permission to access the device

https://developer.android.com/reference/android/hardware/usb/UsbDevice#getSerialNumber()

This is not handled in the SDL HIDDeviceUSB::getSerialNumber() and may cause an application to quit.

I have not observed this bug directly, but it has been reported in user devices via the Google Play crash report tool. I suspect that some users may have external storage devices or cameras connected via USB which my app does not have permission to access. Attempting to enumerate all the USB devices with their serial numbers causes this security exception.

As a provisional fix I am catching the exception in HIDDeviceUSB::getSerialNumber(), logging a warning and returning an empty string.

No other UsbDevice member functions seem to have this limitation.

I can't strongly vouch for this fix, because I can't reproduce the problem on my local devices.
Comment 1 sdlbugs 2020-05-26 13:02:01 UTC 
Note that this function is only called if the USB device identifies as a HID device, which should rule out external storage or cameras. It's getting triggered somehow though. Having real problems reproducing it.
Comment 2 sdlbugs 2020-05-26 13:05:48 UTC 
Error reporting devices were a OnePlus7ProTMO and a Motorola One Hyper, both running Android 10
Comment 3 sdlbugs 2020-05-26 13:12:18 UTC 
I've another theory, that in Android 10 you can deny an app access to a particular controller, and then it might also throw the Security Exception when you ask for the serial number, but again I'm just guessing because I don't have access to such a device.
Comment 4 sdlbugs 2020-05-26 13:22:24 UTC 
OK, based on USB documentation https://developer.android.com/guide/topics/connectivity/usb/host

This suggests that if you try to enumerate USB devices before user grants permission then on Android-29/Q/Android 10 then you'll get a SecurityException.

As getSerialNumber() now throws an exception where it didn't before, I think it needs to be added to the list of things not to try until permission is granted. Before Android 10 I think it's safe to call without permission.

Again, all conjecture as I can't test.
Comment 5 sdlbugs 2020-05-27 15:56:16 UTC 
OK, found a person with a test device.

The behaviour with the 2.0.12 code is for the app to crash with the SecurityException if an Android 10 device has a wired controller attached.

You do NOT get the chance to see the 'Would you like this app to access your controller' dialog.

With the attached patch it does not crash, you DO get the permission dialog and everything is fine after that.
Comment 6 Sam Lantinga 2020-05-29 22:38:11 UTC 
Patch added, thanks!
https://hg.libsdl.org/SDL/rev/931ece03fbee